Steps to Take When a Breach Occurs

A breach of data requires immediate, well-coordinated action. Having a clear protocol in place long before the breach occurs is crucial. Following the steps below can help create an organized and coordinated response.

Seriousness of Breach

First, determine the seriousness of the breach. This will involve an assessment by the technical services group and the department responsible for the data. The assessment can be difficult. In November of 2018, Marriott International discovered a breach of customer data impacting 500 million customers that had actually taken place in 2014. According to a New York Times article, a Chinese intelligence group gathering data on U.S. citizens was responsible. This is the largest known breach of personal data compromised by a state actor.

Review of Law

Once it is clear what type of personal identifying information or personal information is involved, whom the data concerns, and where those concerned reside, the path forward becomes clear. This also helps the employer know what law to review when there is a data breach. The review will depend upon the type of breach, whom it affects, and which laws apply. Having immediate access to an attorney well-versed in cyber-security law is essential.

Notification Requirements

The laws implicated will guide the notifications that must be made and to whom. For example, if the breach involves Colorado residents, the law dictates that if personal identifying information was involved, an employer must follow its data-security policy. However, if personal information was breached, in addition to following the policy, the employer would need to notify the victims of the breach, along with the attorney general. Criminal laws may come into play as well, and may implicate other requirements.


Once there is a breach, a coordinated response is in order. Edward C. Hopkins Jr., a cyber-security attorney, recommends:

  • Retaining an attorney or other cyber-security professional who practices in the area of privacy law and has had experience dealing with the release of sensitive information, and tasking this professional or the team to communicate with government agencies;
  • Assembling a lead team to coordinate an investigation to determine the breadth and depth of the breach, and sending this team’s contact information to internal stakeholders so there is a free flow of information;
  • Deploying a security team to secure the breached system, and a forensics team to obtain and preserve evidence;
  • Coordinating and informing third-party vendors and business partners affected by the breach; and
  • Using a public-relations professional and a high-level customer service manager to develop and execute a communication and action plan for communicating with the public and with clients, and to assist clients affected by the breach.

Employers Council will continue to bring you news and best practices on this topic.